DOCSLIB.ORG

Ssoscan: Automated Testing of Web Applications for Single Sign-On

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Ssoscan: Automated Testing of Web Applications for Single Sign-On SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities Yuchen Zhou and David Evans, University of Virginia https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/zhou This paper is included in the Proceedings of the 23rd USENIX Security Symposium. August 20–22, 2014 • San Diego, CA ISBN 978-1-931971-15-7 Open access to the Proceedings of the 23rd USENIX Security Symposium is sponsored by USENIX SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities Yuchen Zhou David Evans University of Virginia [yuchen, evans]@virginia.edu http://SSOScan.org Abstract To better understand and mitigate these risks, we de- Correctly integrating third-party services into web ap- veloped SSOScan, an automated vulnerability checker plications is challenging, and mistakes can have grave for applications using SSO. SSOScan takes a website consequences when third-party services are used for URL as input, determines if that site uses Facebook SSO, security-critical tasks such as authentication and autho- and automatically signs into the site using Facebook test rization. Developers often misunderstand integration re- accounts and completes the registration process when quirements and make critical mistakes when integrating necessary. Then, SSOScan simulates several attacks on services such as single sign-on APIs. Since traditional the site while observing the responses and monitoring programming techniques are hard to apply to programs network traffic to automatically determine if the appli- running inside black-box web servers, we propose to de- cation is vulnerable to any of the tested vulnerabilities. tect vulnerabilities by probing behaviors of the system. We focus only on Facebook SSO in this work, but our This paper describes the design and implementation of approach could be used to check SSO integrations using SSOScan, an automatic vulnerability checker for appli- other identity providers or other protocols. Many of our cations using Facebook Single Sign-On (SSO) APIs. We techniques could also be adapted to scan for vulnerabili- used SSOScan to study the twenty thousand top-ranked ties in integrating other security-critical services such as websites for five SSO vulnerabilities. Of the 1660 sites online payments and file sharing APIs. in our study that employ Facebook SSO, over 20% were found to suffer from at least one serious vulnerability. 1.1 Contributions 1 Introduction Our work makes two types of contributions: those related to the construction of our scanning tool which are largely Single Sign-On (SSO) services are increasingly used to independent of the particular vulnerabilities, and those implement authentication for modern applications. SSO- resulting from our large-scale study of Facebook SSO enabled applications allow users to log into an applica- implementations. tion using an established account (with a service such as Facebook or Twitter) and connect their account on the SSOScan. We explain the design and implementation of new site to an established Internet identity. Should the SSOScan (Section 3), as well as how to handle some of application need more information from the user, it may the challenges in the automation process. We describe ask the user for extra permissions from the established techniques that automatically perform user interactions service. Once granted, the requested information is re- to walk through the SSO process (Section 3.1), includ- turned to the application, which can then be used in the ing clicking the correct buttons and filling in registration transparent account registration process. forms. We collected information of almost 30,000 click Although these services provide SDKs intended to en- attempts for sites that implement Facebook SSO which able developers without security expertise to integrate shows in detail how the individual heuristics are affecting their services, actually integrating security-critical third- SSOScan’s behavior (Section 5.2). This provides exper- party services correctly can be difficult. Wang et al. iden- imental evidence to support our design choices and shed tified several ways applications integrating SSO SDKs light on future research that shares a similar goal. SSO- can be vulnerable to serious attacks even when develop- Scan can detect whether a target application contains any ers closely follow the documentation [27]. of the five vulnerabilities listed in Section 2.2 with an USENIX Association 23rd USENIX Security Symposium 495 average testing time of 3.5 minutes, and is able to check used in the first exchange. 792 (81%) of the 973 websites that implement functional A signed request is a base64 encoded Facebook SSO from the top 10,000 with no human inter- Signed request. string that contains a user identity, a code, and a signa- vention at all. ture that can be verified using an application’s app secret Large-scale study. We ran SSOScan on the top 20,000 and some other metainformation. Once issued, it is not US websites (Section 4). Key results from the study in- tied to Facebook (except for the enveloped code), and the clude finding at least one vulnerability in 345 of the 1660 signature can be verified locally. sites that use Facebook SSO (Section 4.1). We also learn how vulnerability rates vary due to different ways of in- tegrating Facebook SSO (Section 4.1.1). We manually 2.2 Vulnerabilities analyzed the 228 sites ranked in the top 10,000 that SSO- Our interest in building an automatic scanning tool was Scan cannot test automatically and report on the reasons initially motivated by the access token misuse vulnera- for failures (Section 4.2). Our study reveals the complex- bility reported by Wang et al. [27]. We further identified ity of automatically interacting with web sites that follow four new vulnerabilities that are both serious and suitable a myriad of designs, while suggesting techniques that for automatic testing. The first two vulnerabilities con- could improve future automated testing tools. In Sec- cern confusions about how authentication and authoriza- tion 6, we discuss our experiences reporting the vulnera- tion are done; the other three concern failures to protect bilities to site owners and possible ways SSOScan could important secrets. be deployed. Access token misuse. This vulnerability stems from confusion about authentication and authorization. In 2 Background OAuth 2.0, an access token is intended for authoriza- tion purposes only because it is not tied to any specific This section provides a brief introduction to single sign- application. When a service uses an access token to au- on systems, describes the vulnerabilities we checked, and thenticate users, it will also accept ones granted to any summarizes relevant previous work. other application. Figure 1 illustrates an impersonation attack that exploits this vulnerability: Alice visits Mal- lory’s website (step 1), logs in using Facebook SSO (2), 2.1 Single Sign-On and receives an access token from Facebook (3). Then, Mallory’s client-side code running in Alice’s browser A typical single sign-on process involves three parties. forwards the access token to Mallory (4), which presents Alice first visits a web application and elects to use SSO the token to a vulnerable application’s server (5). After to login. She is then redirected to the identity provider’s confirming the token represents Alice, Foo’s application SSO entry point (e.g., Facebook’s server). After she logs server authenticates Mallory as Alice (6). into Facebook, her OAuth credentials are issued to the application server. The application server confirms the Facebook User identity and authenticates the client. 2. Login OAuth uses three different types of (rather confu- singly-named) credentials: 3. Issue credentials 4. Forward 1. Visit Access token. An access token represents permissions credentials Foo app server granted by the user. For example, the application may Mallory request that user grant permission to access the birth- 6. Authenticated day and friend lists from her Facebook account. Upon 5. Reuse credentials the user’s consent, a token will be issued and forwarded to the application which may then use it to obtain the granted information from Facebook. An access token Figure 1: OAuth credential misuse eventually expires, but may be valid for a long time. Code. A code is used to exchange for an access token Signed request misuse. Sometimes developers have through the identity provider. This exchange requires the chosen the correct OAuth credentials to use, but still end application’s unique app secret to proceed. If the secret up with a vulnerable implementation. One way this hap- does not match, Facebook will not issue the token. This pens is when information decoded from a signed request means a code is bound to a user as well as a target appli- is used but the signature is never checked using the cation. With Facebook SSO, the code expires after being app secret. The attack to exploit this vulnerability is 2 496 23rd USENIX Security Symposium USENIX Association similar to the previous one, except that Mallory needs tive source-sink pairs. However, these techniques require to reuse the signed request in addition to access token. white-box access to the application (at least at the level of its binary), which is not available for remote web appli- When a developer registers an appli- App secret leak. cation testing. Automated web application testing tools cation with Facebook, she receives an app secret. It that work on the server implementation [1, 8, 16] do not is essential for the application owner to keep it a se- apply to large-scale vulnerability testing well. They ei- cret because the app secret is used as the key to cre- ther require access to application source code or other ate signed requests and to access many other privileged specific details such as UML or application states. For functionalities. However, careless developers may reveal our purposes, the test target (application server imple- this secret to clients, especially when using code flow to mentation) is only available as a black box.
Load more

Recommended publications
  • Signing Me Onto Your Accounts Through Facebook And
    Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services Rui Wang Shuo Chen XiaoFeng Wang Indiana University Bloomington Microsoft Research Indiana University Bloomington Bloomington, IN, USA Redmond, WA, USA Bloomington, IN, USA [email protected] [email protected] [email protected] Abstract— With the boom of software-as-a-service and social extensive commercial deployments as what happen on networking, web-based single sign-on (SSO) schemes are being today’s web, thanks to the increasing popularity of social deployed by more and more commercial websites to safeguard networks, cloud computing and other web applications. many web resources. Despite prior research in formal verification, little has been done to analyze the security quality Today, leading web technology companies such as of SSO schemes that are commercially deployed in the real Facebook, Google, Yahoo, Twitter and PayPal all offer SSO world. Such an analysis faces unique technical challenges, services. Such services, which we call web SSO, work including lack of access to well-documented protocols and code, through the interactions among three parties: the user and the complexity brought in by the rich browser elements represented by a browser, the ID provider (a.k.a, IdP, e.g., (script, Flash, etc.). In this paper, we report the first “field Facebook) and the relying party (a.k.a, RP, e.g., Sears). Like study” on popular web SSO systems. In every studied case, we any authentication scheme, a secure web SSO system is focused on the actual web traffic going through the browser, and used an algorithm to recover important semantic expected to prevent an unauthorized party from gaining information and identify potential exploit opportunities.
    [Show full text]
  • CIAM Platforms LEADERSHIP COMPASS
    KuppingerCole Report LEADERSHIP COMPASS by John Tolbert December 2018 CIAM Platforms This report provides an overview of the market for Consumer Identity and AcCess Management and provides you with a Compass to help you to find the Consumer Identity and ACCess Management produCt that best meets your needs. We examine the market segment, vendor product and service functionality, relative market share, and innovative approaChes to providing CIAM solutions. by John Tolbert [email protected] December 2018 Leadership Compass CIAM Platforms KuppingerCole Leadership Compass CIAM Platforms By KuppingerCole Report No.: 79059 Content 1 Introduction .................................................................................................................................... 6 1.1 Market Segment ...................................................................................................................... 7 1.2 Delivery models ....................................................................................................................... 9 1.3 Required Capabilities .............................................................................................................. 9 2 Leadership .................................................................................................................................... 12 3 Correlated View ............................................................................................................................ 20 3.1 The Market/Product Matrix .................................................................................................
    [Show full text]
  • Customer Relationship Management (CRM) Chapter Leads to the Most Arguments About Placement Whenever We Update This Book
    Retain › Introduction Introduction to Retain By this stage of the book you’ve probably realised that getting your customers’ attention through digital channels is only part of the battle. Holding on to that attention in order to build a long-term customer relationship is the next essential step. We’ve covered planning, building and driving traffic to carefully developed digital assets. The next few chapters deal with methods and tools for retaining the stream of potential and existing customers by building relationships with them and leading them to conversions. The Customer relationship management (CRM) chapter leads to the most arguments about placement whenever we update this book. A core approach in taking care 14 of and converting customers, CRM can be a core business strategy as well as an approach and should be considered at all stages of the customer journey. Content marketing lays out the building blocks for effectively using content, not advertising, to reach audiences. With users becoming increasingly blind to adverts Customer and wary of blatant promotional material, there is a strong need for brands to provide value in the forms of good content to engage and retain their audience. Being chosen as a customer’s preferred brand often hinges on how favourably you relationship are seen by others in the market. Being well represented on Social media, and implementing a sound Social media strategy, is important for brands marketing online. Monitoring sentiment around your brand, using online monitoring tools, will management help you to understand how digital communities perceive brands. Video marketing is another excellent tool for engaging and capturing your audience’s (CRM) attention.
    [Show full text]
  • Getting to Know Your Customers: the Emergence of CIAM Abstract
    Getting To Know Your Customers: The Emergence of CIAM Abstract Ten years ago identity and access management (IAM) solutions were rarely deployed beyond the company firewall, providing permissions and access rights to enterprise resources to employees and contractors. When available, the management of customer and partner access to a generally limited set of resources was often poorly coordinated. Today, however, a very different social, technology and business environment demands that enterprises make their customers’ online experience as sleek and personalized as possible. And to do this, enterprises are embracing a new breed of consumer or customer identity and access management (CIAM) solutions from their IAM vendors. The investment and commitment to CIAM are being driven by an ever- increasing sophistication of customer expectation in terms of a ‘joined up’ user experience and real-time availability of relevant resources accessible anywhere, anytime and from any device. Alongside the need to protect the ‘disappearing perimeter’ with adequate security is measured the need to address competitive advantage and maintain customer loyalty. Boosting transparency between marketing and lines of business has the potential to deepen the customer relationship. In this report, we investigate this emerging trend, what the major players are doing, and what should be the next steps for TechVision Research clients. This report covers: • The CIAM value proposition and business rationale for the enterprise • Getting the balance right between enterprise IAM (EIAM) and CIAM • TechVision Research’s shortlist of CIAM vendors • Eight steps an enterprise should take to best leverage CIAM Author: David Goodman, D. Phil Principal Consulting Analyst [email protected] Getting To Know Your Customers: The Emergence of CIAM David Goodman Table of Contents Abstract .............................................................................................................................................................................
    [Show full text]
  • 10 Best Practices to Drive On-Site Engagement.Pdf
    10 BEST PRACTICES TO DRIVE ON-SITE ENGAGEMENT Contents Introduction 3 Leverage Existing Social Identities 4 Define Reasons to Register 5 Provide a Welcoming Return Experience 7 Encourage Users to Link Multiple Social Accounts 8 Encourage Social Sharing 9 Drive Engagement by Including Friends 10 Optimize for Mobile Browser Experiences 11 Reward Participation and Loyalty 12 Offer Ratings and Reviews 13 Test, Learn and Iterate 14 Conclusion 15 tm Introduction Introduction Today’s connected consumer has a number of fundamental expectations about what they should be able to do online Regardless of the type of website (media, entertainment, retail, consumer brand, etc ), people increasingly expect an element of social interactivity This shift in behavior creates new acquisition and engagement opportunities, and thankfully the tools that enable marketers to step up to this challenge are continually improving This paper explores best practices for incorporating social technologies into your site, including key considerations for how, when, why and where to integrate social components to maximize the experience as well as your return, along with some real-world examples We’ll cover these opportunities to integrate social: • Social Login • Social Sharing • Leveraging the Social Graph • Loyalty and Rewards • Mobile and Tablet Consideration Copyright © 2013 Janrain Inc All rights reserved On-Site Engagement | www janrain com | 888 563 3082 PG3 tm 1 Leverage Existing Social Identities When people arrive at a website, many of makes the process quick
    [Show full text]
  • On the Security of Single Sign-On
    On the Security of Single Sign-On Vladislav Mladenov (Place of birth: Pleven/Bulgaria) [email protected] 30th June 2017 Ruhr-University Bochum Horst G¨ortz Institute for IT-Security Chair for Network and Data Security Dissertation zur Erlangung des Grades eines Doktor-Ingenieurs der Fakult¨atf¨urElektrotechnik und Informationstechnik an der Ruhr-Universit¨atBochum First Supervisor: Prof. Dr. rer. nat. J¨org Schwenk Second Supervisor: Prof. Dr.-Ing. Felix Freiling www.nds.rub.de Abstract Single Sign-On (SSO) is a concept of delegated authentication, where an End- User authenticates only once at a central entity called Identity Provider (IdP) and afterwards logs in at multiple Service Providers (SPs) without reauthenti- cation. For this purpose, the IdP issues an authentication token, which is sent to the SP and must be verified. There exist different SSO protocols, which are implemented as open source libraries or integrated in commercial products. Google, Facebook, Microsoft and PayPal belong to the most popular SSO IdPs. This thesis provides a comprehensive security evaluation of the most popular and widely deployed SSO protocols: OpenID Connect, OpenID, and SAML. A starting point for this research is the development of a new concept called malicious IdP, where a maliciously acting IdP is used to attack SSO. Generic attack classes are developed and categorized according to the requirements, goals, and impact. These attack classes are adapted to different SSO proto- cols, which lead to the discovery of security critical vulnerabilities in Software- as-a-Service Cloud Providers, eCommerce products, web-based news portals, Content-Management systems, and open source implementations.
    [Show full text]
  • 80061 Leadership Compass Consumer Authentication 2019
    KuppingerCole Report LEADERSHIP COMPASS by John Tolbert September 2019 Consumer Authentication This report provides an overview of the market for Consumer Authentication products and services and provides you with a compass to help you to find the Consumer Authentication product or service that best meets your needs. We examine the market segment, vendor product and service functionality, relative market share, and innovative approaches to providing Consumer Authentication solutions. by John Tolbert [email protected] September 2019 Leadership Compass KuppingerCole Leadership Compass Consumer Authentication Consumer Authentication Report No.: 80061 By KuppingerCole Content 1 Introduction ................................................................................................................................. 6 1.1 Market Segment ....................................................................................................................... 7 1.2 Delivery models ........................................................................................................................ 7 1.3 Required Capabilities ................................................................................................................ 7 2 Leadership.................................................................................................................................. 11 3 Correlated View ......................................................................................................................... 19 3.1 The Market/Product
    [Show full text]
  • Customer Identity and Access Management, Q2 2017 Top Eight Providers That Matter Most and How They Stack up by Merritt Maxim June 15, 2017
    FOR SECURITY & RISK PROFESSIONALS The Forrester Wave™: Customer Identity and Access Management, Q2 2017 Top Eight Providers That Matter Most And How They Stack Up by Merritt Maxim June 15, 2017 Why Read This Report Key Takeaways In our 20-criteria evaluation of customer IAM Gigya And Janrain Lead The Pack (CIAM) providers, we identified the eight most Forrester’s research uncovered a market significant ones — Auth0, ForgeRock, Gigya, in which Gigya and Janrain lead the pack. Janrain, LoginRadius, Microsoft, Ping Identity, Salesforce, ForgeRock, and Ping Identity offer and Salesforce — and researched, analyzed, competitive options. Microsoft, LoginRadius, and scored them. This report shows how each and Auth0 lag behind. provider measures up and helps security and S&R Pros Want Secure, Seamless Digital risk professionals make the right choice for their Experiences For Customers digital businesses. The CIAM market is growing because more S&R professionals increasingly trust CIAM providers to help solve key customer IAM challenges and support customer-centric digital transformation initiatives. Every vendor in this Forrester Wave™ is tracking toward this goal. Analytics, Customer Data Management, And Geographic Coverage Are Key Differentiators As home-grown, disparate technologies for managing customer identity and access become more expensive to administer and less effective, improved customer analytics, customer data management, and the ability to service customers in multiple geographies will dictate which providers will outpace their competitors.
    [Show full text]
  • The Value of Social Login Solving the Engagement Gap Insights from Consumer Research
    The Value of Social Login Solving the Engagement Gap Insights from Consumer Research tm + As marketers we endeavor to communicate meaningful and authentic dialogues with consumers. But 98% of people say the information we’re trying to share is misaligned. Almost all 10% Q the time Frequently 48% “How often do companies send 98% are information, promotions, etc. mistargeted not relevant to you?” Infrequently 40% Never 2% Q1. How often, if at all, have you experienced a situation where a company has sent you information, promotions, etc. that are not relevant to you? n=593 Why are we having this problem? We need to know who we’re talking to in order to be relevant. Site registration aims to solve this problem. But why doesn’t it always work? For one, people are account fatigued, and more resistant to registering. 53% have 5+ usernames 57% have 5+ passwords *** Q *** “How many 29% have 4—5 usernames *** di!erent *** usernames and 26% have 4—5 passwords *** *** passwords have *** you created 15% have 2—3 usernames *** *** online? 16% have 2—3 passwords *** 3% have 0—1 usernames 1% have 0—1 passwords Q6A. You may not use, let alone remember, all of the di!erent username and passwords that you have created online. However to the best of your knowledge, how many di!erent usernames have you created online for sites that require a username and password? n=593 Even after they’ve created an account, many have forgotten login information and decide to leave sites. Q 92% “How often have 61% have left instead of Qyou gone to a A Few resetting or recovering ? Times website, forgotten login information.
    [Show full text]
  • Quarterly Review of the Software & Internet Sector
    Quarterly Review of the Software & Internet Sector Q4 2014 Member: FINRA / SIPC About Navidar Navidar is an investment banking firm providing companies and investors in dynamic industries with strategic M&A advice, capital raising solutions, vital insights and breakthrough opportunities. ■ Big Firm Experience Combined with Senior Banker Attention ■ Global Relationships with Top-Tier Investors and World-Leading Companies ■ Greater Creativity and Customized Solutions ■ Focused on the Middle Corridor of the United States Past Transactions Executed by Navidar October 2014 September 2014 June 2014 April 2014 Has been acquired by Has acquired Has been acquired by Has been acquired by Buyside Advisor Sellside Advisor Sellside Advisor Sellside Advisor March 2014 December 2013 October 2013 December 2012 Has been acquired by Has acquired Has been acquired by Private Equity Placement Sellside Advisor Buyside Advisor Sellside Advisor October 2012 August 2012 February 2012 February 2012 Has been acquired by Has been acquired by NOL Shareholder Rights Capital Structure Review Plan Sellside Advisor Sellside Advisor October 2011 July 2011 January 2011 January 2011 January 2011 Has been acquired by Has been acquired by Debt Placement Sellside Advisor Sellside Advisor Private Equity Placement Debt Placement July 2010 July 2009 November 2010 January 2009 Has acquired World Golf Systems Group PLC Private Equity Placement Recapitalization Private Equity Placement Buyside Advisor Note: Transactions above only represent a sample of past transactions executed
    [Show full text]
  • Archive for March, 2010 Authenware Joins Openid Foundation
    Archive for March, 2010 Authenware Joins OpenID Foundation Posted at 4:44 pm on March 12, 2010 by jfe Authenware today announced its membership in the OpenID Foundation – an industry organization aimed at protecting identities and intellectual property through the bolstering online security. Through its membership, Authenware becomes part of a community of IT powerhouses that seeks to collectively build awareness of the emerging digital security pandemic. “The exploitation of security vulnerabilities creates a major obstacle for the expansion of the Internet as a trusted vehicle for communication and commerce,” said Tom Helou, president of Authenware. “For such a reason, we sought membership within the OpenID Foundation and are proud to partner with a broad spectrum of online leaders who share our values of security, privacy and strong identification.” This entry was posted on Friday, March 12th, 2010 at 4:44 pm and is filed under News, Press Releases. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site. theSocialWeb.tv on the launch of the Open Identity Exchange Posted at 11:48 am on March 9, 2010 by Chris Messina theSocialWeb.tv visits Citizen Space in San Francisco during the RSA Conference to sit down with Don Thibeau of the OpenID Foundation and Drummond Reed of the Information Card Foundation to discuss the launch of the Open Identity Exchange, the result of a year-long collaboration between the two foundations. John McCrea and Chris Messina dive into the details of this announcement and what it means for the social web.
    [Show full text]
  • Beyond Marketing: Why Digital Disruption Requires a Deeper Transformation
    Beyond Marketing: Why Digital Disruption Requires a Deeper Transformation By: Tim Walters, Ph.D. Highlights 3 5 9 12 Understanding How digital disrupts Beyond marketing: Conclusion: Grasp the disruption Coming to terms with true meaning of the digital disruption “consumerization of IT” Sponsored by Executive Summary The forces of digital disruption have toppled established business models, magnified the significance of digital channels and competences, and initiated the “customer-centric era.” Chief marketing officers (CMOs) and their marketing organizations would seem to be ideally positioned to lead the organizational response to these disruptions. Marketing typically owns the customer relationship and has developed sophisticated methods for understanding and communicating with customers. Indeed, many of the vendors and service providers who aim to help companies with customer experience management (CEM) have focused their attention on marketing professionals and processes. Surprisingly, however, CMOs are rarely at the forefront as companies tackle the digital innovations necessary to attract and retain empowered consumers. Accenture recently surveyed C-level executives in 20 countries and found that the CEO was responsible for such initiatives in 35% of the organizations, followed by the CTO (23%) and the CIO (22%). The CMO? Virtually invisible at 1%.1 Such results do not indicate a lack of will or skill on the part of CMOs and marketing professionals. Rather, they show that the forces at work in digital disruption have not only granted consumers unprecedented voice and choice — they have also fundamentally transformed the business environment and the capabilities required for business success. Digital is so disruptive because it radically accelerates and warps not only the customer relationship but also the entire process from product innovation to customer satisfaction.
    [Show full text]